! Purpose & Capability
The skill bundle claims to be a Feishu (Lark) skills collection and legitimately needs a Feishu App ID/Secret and a Clawdbot gateway token for the bridge. However, the registry metadata lists no required environment variables, while the README/SKILL.md and many code files clearly require FEISHU_APP_ID and FEISHU_APP_SECRET (or a secret file) plus access to the local Clawdbot config. This mismatch between the declared metadata and the actual requirements is incoherent and increases risk.
! Instruction Scope
SKILL.md/README instruct users to store secrets under ~/.clawdbot/secrets, update ~/.claude/mcp.json, and run the bridge service. The code reads local config and secret files, connects to a local gateway, and forwards message content to Clawdbot. There are also risky runtime behaviors: a handler uses child_process.execSync to call send.js with interpolated event values (possible shell injection if event fields are attacker-controlled), multiple scripts read files outside their own directory (../../.env, ~/.clawdbot files), and a few scripts include hard-coded app/appToken strings. The instructions give the agent broad ability to read and act on local files and to create persistent services.
ℹ Install Mechanism
There is no centralized install spec (the skill is instructions plus code). Installing typically requires copying directories and running npm install inside the sub-skill directories. Dependencies come from public npm (e.g., @larksuiteoapi/node-sdk, ws, node-fetch), so they are traceable, but they should still be installed locally. No arbitrary binary downloads or obscure URLs were found in the provided files.
! Credentials
The bundle requires Feishu credentials and also reads the Clawdbot config to obtain a gateway auth token; both are proportional to a bridge skill, but the registry incorrectly reports 'no required env vars'. Additional concerns: some code contains a hard-coded appToken ('D1albdySZaU6ncsx4WzcGZfOn1B') in the feishu-bitable scripts, and some files load ../feishu-common or ../../.env, which may expose environment variables. Multiple different secrets/paths are referenced (FEISHU_APP_SECRET_PATH, ~/.clawdbot/secrets, ~/.claude/mcp.json), increasing the chance of accidental credential exposure.
ℹ Persistence & Privilege
The bridge includes a setup-service script that writes a macOS launchd plist into ~/Library/LaunchAgents and instructs users to load it (auto-start with KeepAlive). 'always' is false in the metadata, but the bundle encourages persistent autostart behavior, which increases the attack surface if the code is malicious or becomes compromised. The code does not modify other skills' configs, but it does require access to the user's Clawdbot config and secret files.
Scan Findings in Context
[child_process_execSync_usage] unexpected: handle_event.js uses execSync to invoke send.js with interpolated strings (menuKey and the generated reply). For a messaging bridge, invoking the internal send logic is normal, but using shell execution with unescaped user-controlled values is risky (possible command injection). Safer: call send.js programmatically, or at least pass each value as a separate argument without a shell and properly escape anything that must go through one.
[hardcoded_app_token] unexpected: feishu-bitable/add_task.js and add_task_dynamic.js include a hard-coded appToken string. A template/kit should accept tokens from environment/config, not hard-code them. This is suspicious and may leak or misuse credentials.
[reads_local_sensitive_paths] expected: bridge.mjs reads ~/.clawdbot/clawdbot.json to obtain gateway auth token and reads a secret file for FEISHU_APP_SECRET. For a local bridge, reading these local files is expected, but users must be aware this code has access to those tokens.
[launchd_autostart_generation] expected: setup-service.mjs writes a LaunchAgents plist to enable persistent bridge autostart. For a long-running bridge this is an expected convenience, but it elevates persistence and should be enabled only after code audit.
What to consider before installing
This collection contains useful Feishu skills, but exercise caution before installing or enabling the bridge:
- Metadata mismatch: The registry says 'no required env vars' but the README and code require FEISHU_APP_ID/FEISHU_APP_SECRET (or secret file) and a Clawdbot gateway token. Do not provide these credentials unless you trust the source.
- Audit the code: Review the bridge (bridge.mjs), card (send.js + handle_event.js), and bitable scripts. Pay special attention to:
  - Hard-coded tokens (remove or rotate them). The feishu-bitable scripts include a hard-coded appToken; treat it as suspicious and do not reuse it.
  - Child-process usage: handle_event.js uses execSync with interpolated event data; this can be exploited if an attacker controls event contents. Prefer calling the send logic programmatically rather than using a shell command.
  - Files read/written: scripts read ~/.clawdbot/clawdbot.json and secret files. Inspect those configs and ensure they do not contain extra secrets you don't want accessible.
- Test in isolation: Run these skills in a sandboxed or disposable environment (non-production machine or VM) first. Do not run the bridge as a persistent service until you've audited it.
- Least privilege: Create a dedicated Feishu self-built app with minimal permissions required by the features you need and a dedicated Clawdbot gateway token/account; avoid using high-privilege tokens across other services.
- Remove autostart until reviewed: The setup-service script will install a launchd agent; do not load it until you have inspected and are confident in the code.
- If unsure, prefer installing only specific sub-skills you need (and inspect their package.json and code) rather than bulk-installing the entire kit.
If you want, I can (a) point out the exact lines to change to remove shell exec usage, (b) highlight hard-coded tokens and suggest fixes, or (c) produce a short checklist for a code audit to run before enabling the bridge.